Hi All, I'm probably doing something wrong here, but I don't see what it is.

I'm calling SSL_CTX_load_verify_locations() with a CAT of PEM files. I'm not calling SSL_CTX_set_default_verify_paths():

    /* http://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html */
    /* I've also tried with a PATH of "./" */
    ret = SSL_CTX_load_verify_locations(ctx, "random-org-ca-chain.pem", NULL);
    ssl_err = ERR_get_error();

    ASSERT(1 == ret);
    if(!(1 == ret))
    {
        pkp_display_warning("SSL_CTX_load_verify_locations", (long)ssl_err);
        break; /* failed */
    }

Later, when the host's certificate is verified, I get a failure at depth 2. At 2, the certificate is "AddTrust External CA Root" (a Comodo certificate), and the error is 20 (unable to get local issuer certificate). But the certificate is explicitly loaded in the PEM file above. I uploaded the file at http://www.megafileupload.com/en/file/392206/random-org-ca-chain-pem.html.

I've used `openssl x509 -text -in "AddTrust External CA Root.pem"` (copied out directly from s_client), and everything looks OK. CA is TRUE, AKI is present, KU includes "Certificate Sign, CRL Sign", etc.

I also have everything fully ASSERT'd, so I'm not silently failing anywhere (that I am aware of).

The chain can be examined on the target at https://www.random.org (or using `echo "GET / HTTP1.0" | openssl s_client -showcerts -connect www.random.org:443`).

Any ideas?

Jeff